
Name – JASPREET SINGH

Registration Number – 16BIT0337


Home Work 8
Q1: Write the SHA 512 logic. What are your observations on the round function of SHA 512?

Ans. The algorithm takes as input a message with a maximum length of less than $2^{128}$ bits
and produces as output a 512-bit message digest. The input is processed in 1024-bit blocks.

The processing consists of the following steps –

Step 1 - Append padding bits. The message is padded so that its length is congruent to 896
modulo 1024 [length ≡ 896 (mod 1024)]. Padding is always added, even if the message is already
of the desired length. Thus, the number of padding bits is in the range of 1 to 1024. The padding
consists of a single 1 bit followed by the necessary number of 0 bits.

Step 2 - Append length. A block of 128 bits is appended to the message. This block is treated as
an unsigned 128-bit integer (most significant byte first) and contains the length of the original
message in bits (before the padding). The outcome of the first two steps yields a message that is
an integer multiple of 1024 bits in length. In Figure 11.9, the expanded message is represented as
the sequence of 1024-bit blocks $M_1, M_2, \ldots, M_N$, so that the total length of the expanded
message is $N \times 1024$ bits.

Step 3 - Initialize hash buffer. A 512-bit buffer is used to hold intermediate and final results of
the hash function. The buffer can be represented as eight 64-bit registers (a, b, c, d, e, f, g, h).
These registers are initialized to 64-bit integers. These values are stored in big-endian format,
that is, with the most significant byte of a word in the low-address (leftmost) byte position. These
words were obtained by taking the first sixty-four bits of the fractional parts of the square roots
of the first eight prime numbers.

Step 4 - Process message in 1024-bit (128-byte) blocks. The heart of the algorithm is a module
that consists of 80 rounds. Each round takes as input the 512-bit buffer value, abcdefgh, and
updates the contents of the buffer. At input to the first round, the buffer has the value of the
intermediate hash value, $H_{i-1}$. Each round $t$ makes use of a 64-bit value $W_t$, derived from the
current 1024-bit block being processed ($M_i$). These values are derived using a message schedule
described subsequently. Each round also makes use of an additive constant $K_t$, where $0 \le t \le 79$
indicates one of the 80 rounds. These words represent the first 64 bits of the fractional parts of
the cube roots of the first 80 prime numbers. The constants provide a “randomized” set of 64-bit
patterns, which should eliminate any regularities in the input data. The output of the eightieth
round is added to the input to the first round ($H_{i-1}$) to produce $H_i$. The addition is done
independently for each of the eight words in the buffer with each of the corresponding words in
$H_{i-1}$, using addition modulo $2^{64}$.

Step 5 - Output. After all N 1024-bit blocks have been processed, the output from the Nth stage
is the 512-bit message digest.

We can summarize the behavior of SHA-512 as follows:

$H_0 = IV$, $H_i = \mathrm{SUM}_{64}(H_{i-1}, abcdefgh_i)$, $MD = H_N$

Two observations can be made about the round function.

1. Six of the eight words of the output of the round function involve simply permutation (b,
c, d, f, g, h) by means of rotation.
2. Only two of the output words (a, e) are generated by substitution. Word e is a function of
input variables (d, e, f, g, h), as well as the round word $W_t$ and the constant $K_t$. Word a is
a function of all of the input variables except d, as well as the round word $W_t$ and the
constant $K_t$.

Q2: SHA 512 follows a structure and operations similar to those of its predecessors such as SHA-0
and SHA-1. Do you see any vulnerabilities due to this?

Ans. The only "practical" attack against SHA-512 is brute force. Hypothetically, an attacker with
sufficient computational power can slowly guess every possible password until eventually
finding a match. This attack can be very slow (millions of years if a single average
consumer computer is used to crack a strong password) or take only seconds if the password was
"password".
The second type of possible attack is a length extension attack, in which an attacker can use
Hash(message1) and the length of message1 to calculate Hash(message1 ‖ message2) for an
attacker-controlled message2. Algorithms like MD5, SHA-1, and SHA-2 that are based on the
Merkle–Damgård construction are susceptible to this kind of attack.

Q3: Is it possible to develop a block cipher like DES using hash functions? Justify your answer.

Ans. Yes, it is possible to build a block cipher like DES using hash functions. To achieve this, we
have to follow a Feistel structure, which is, incidentally, the same kind of structure that
DES uses. We need to use the hash function for the "F" part, which combines one (sub)key and
one half of the current block, to produce a value which is to be XORed with the other half of the
current block. The beauty of the scheme is that the "F" function is always invoked in the same
direction, both for encryption and for decryption. Therefore, it can be a one-way function, like a
hash function.
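
A small sketch of the construction described above, added here and not part of the original answer: a 16-round Feistel network on 64-bit blocks with SHA-512 as the "F" function. The key schedule, the truncation of the hash to 32 bits and all names are assumptions of this example.

```python
import hashlib

ROUNDS = 16   # same round count as DES (assumption of this sketch)
HALF = 4      # 32-bit halves, giving a 64-bit block like DES

def subkeys(key: bytes):
    # Hypothetical key schedule: one subkey per round, derived by hashing.
    return [hashlib.sha512(key + bytes([r])).digest() for r in range(ROUNDS)]

def F(subkey: bytes, half: bytes) -> bytes:
    # One-way round function: hash of subkey and half-block, truncated to 32 bits.
    return hashlib.sha512(subkey + half).digest()[:HALF]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, keys) -> bytes:
    if len(block) != 2 * HALF:
        raise ValueError("block must be exactly 8 bytes")
    left, right = block[:HALF], block[HALF:]
    for k in keys:
        # F is only ever evaluated forwards; the XOR is what gets undone.
        left, right = right, xor(left, F(k, right))
    return right + left   # final swap, so the same routine also decrypts

def encrypt(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))

def decrypt(block: bytes, key: bytes) -> bytes:
    # Decryption is the same network with the subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])
```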

Q4: For SHA 512 show the equations for the words $W_{35}$, $W_{43}$.

Ans. The words are calculated as follows –

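$W_t = \sigma_1^{512}(W_{t-2}) + W_{t-7} + \sigma_0^{512}(W_{t-15}) + W_{t-16}$

Therefore,

$W_{35} = \sigma_1^{512}(W_{33}) + W_{28} + \sigma_0^{512}(W_{20}) + W_{19}$

$W_{43} = \sigma_1^{512}(W_{41}) + W_{36} + \sigma_0^{512}(W_{28}) + W_{27}$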

Q5. Identify the value of the padding field in SHA512 if the length of the message is 2943 bits.

Ans. We can calculate the number of padding bits as follows:

|P| = (-2943-128) mod 1024 = -3071 mod 1024 = 1


Q6. Analyze the security requirements of MAC and HMAC functions.

Ans. In assessing the security of a MAC function, we need to consider the types of attacks that
may be planned against it. The requirements of the function are as follows –

1. If an opponent observes M and MAC(K, M), it should be computationally infeasible for the
opponent to construct a message M′ such that: MAC(K, M′) = MAC(K, M)
2. MAC(K, M) should be uniformly distributed in the sense that for randomly chosen messages,
M and M′, the probability that MAC(K, M) = MAC(K, M′) is $2^{-n}$, where n is the number of
bits in the tag.
3. Let M′ be equal to some known transformation on M. That is, M′ = f(M). For example, f may
involve inverting one or more specific bits. In that case,
Pr[MAC(K, M) = MAC(K, M′)] = $2^{-n}$

The security of the HMAC function depends on the attacker being unable to succeed at either of
the following attacks on the embedded hash function –

1. The attacker is able to compute an output of the compression function even with an IV that
is random, secret, and unknown to the attacker.
2. The attacker finds collisions in the hash function even when the IV is random and secret.
